diff --git a/files/etc/systemd/user/move_old_logs.timer b/files/etc/systemd/user/move_old_logs.timer new file mode 100644 index 0000000000000000000000000000000000000000..f0b9b8329e81ca2990c2eca8ce8fa05632c399f0 --- /dev/null +++ b/files/etc/systemd/user/move_old_logs.timer @@ -0,0 +1,6 @@ +[Unit] +Description=timer for move_old_logs.service +[Timer] +# run once a year, on the 1st of January at 05:00:00am. +OnCalendar=*-1-1 05:00:00 +Unit=move_old_logs.service diff --git a/files/move_old_logs.sh b/files/move_old_logs.sh new file mode 100644 index 0000000000000000000000000000000000000000..141043f195df7caaca0242400242affcb52b7801 --- /dev/null +++ b/files/move_old_logs.sh @@ -0,0 +1,25 @@ +#!/usr/bin/env bash + +# This script is intended to be run regularly and move logfiles from previous +# years to an archive directory. Logfiles from the current year are NOT moved, +# so they can be easily found. + +START_YEAR="2015" +CURRENT_YEAR="$( date +%Y )" +PREVIOUS_YEAR="$(( CURRENT_YEAR - 1 ))" + +cd "/var/log/subapp/${HOSTNAME}/" || exit 1 + +# create directories for old logfiles +for YEAR in ${START_YEAR}..${PREVIOUS_YEAR}; do + mkdir -p "old/${YEAR}" +done + +# move all old logfiles +for YEAR in ${START_YEAR}..${PREVIOUS_YEAR}; do + mv "Protokoll_SLUBArchiv_Erfolgreich-${YEAR}*.log" "old/${YEAR}/" + mv "Protokoll_SLUBArchiv_FEHLER-${YEAR}*.log" "old/${YEAR}/" + mv "sips.log.${YEAR}-*.lz" "old/${YEAR}/" + mv "subapp.log.${YEAR}-*.lz" "old/${YEAR}/" + mv "webservice.log.${YEAR}-*.lz" "old/${YEAR}/" +done diff --git a/handlers/main.yml b/handlers/main.yml index 18dca89f5c02a34988a5c1ecf13528a6e6b254af..d6cd015af7112c7d9c2be6665e2406ae0bfd1e3c 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -42,3 +42,6 @@ - name: create PIDfiles command: systemd-tmpfiles --create +- name: daemon-reload + systemd: + daemon_reload: true diff --git a/tasks/install_move_logs.yml b/tasks/install_move_logs.yml new file mode 100644 index 0000000000000000000000000000000000000000..29985131abb85c1fcb5a9d96902cd8cd12dc5f52 --- /dev/null +++ b/tasks/install_move_logs.yml @@ -0,0 +1,29 @@ +--- +- name: install timer and script for moving old logs to archive + ansible.builtin.copy: + src: "{{ item.path }}" + dest: "/{{ item.path }}" + mode: "{{ item.mode }}" + owner: "{{ item.owner | default('root') }}" + group: "{{ item.group | default('root') }}" + loop: + - path: "etc/systemd/user/move_old_logs.timer" + mode: "0644" + - path: "usr/local/bin/move_old_logs.sh" + mode: "0755" + notify: daemon-reload + +- name: install service for moving old logs to archive + ansible.builtin.template: + src: "etc/systemd/user/move_old_logs.service.j2" + dest: "/etc/systemd/user/move_old_logs.service" + mode: 0755 + owner: "root" + group: "root" + notify: daemon-reload + +- name: enable timer for moving old logs to archive + ansible.builtin.systemd: + name: "move_old_logs.timer" + state: started + enabled: true diff --git a/tasks/main.yml b/tasks/main.yml index fd82728995e0b596795f2a7a32f46e4caa562350..192bd59975b44b37b12f9f01d13707648982886a 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -65,6 +65,10 @@ import_tasks: "install_ta_tools.yml" tags: [ta, apt] +- name: install scripts and services for moving old logs to archive + import_tasks: "install_move_logs.yml" + tags: [log, cleanup] + - name: cleanup remainders of METS-based SubApp import_tasks: cleanup_legacy.yml tags: [cleanup] diff --git a/templates/etc/systemd/user/move_old_logs.service.j2 b/templates/etc/systemd/user/move_old_logs.service.j2 new file mode 100644 index 0000000000000000000000000000000000000000..86f890db576852f0f0bdc38c772265bbe2f6cccb --- /dev/null +++ b/templates/etc/systemd/user/move_old_logs.service.j2 @@ -0,0 +1,33 @@ +[Unit] +Description=move_old_logs.sh +After=remote-fs.target + +[Service] +Type=simple +ExecStart=/usr/local/bin/move_old_logs.sh +User={{ vault_subapp_user }} +Group={{ vault_subapp_group }} + +### Security features +# documented at https://www.freedesktop.org/software/systemd/man/systemd.exec.html +ProtectSystem=strict +ProtectHome=read-only +ProtectHostname=true +ProtectClock=true +ProtectKernelTunables=true +ProtectKernelModules=true +ProtectKernelLogs=true +ProtectControlGroups=true +LockPersonality=true +MemoryDenyWriteExecute=true +RestrictRealtime=true +RestrictSUIDSGID=true +## RemoveIPC=true +## PrivateMounts=true +## MountFlags= +## SystemCallFilter is a Whitelist!!! +#SystemCallFilter=@debug,@file-system +#SystemCallErrorNumber=1337 + +[Install] +WantedBy=multi-user.target